Building a Strong Cyber-Security Framework
By Samuel Greengard | Posted 2015-12-01
Cyber-attacks are growing exponentially, so organizations must adopt a risk-based framework, including governance and a multilayer defense-in-depth approach.
Operating a business has always presented risks, but in today's increasingly connected world, the dangers have grown exponentially. Breaches, breakdowns and cyber-assaults have become a daily event.
"We have reached the stage where it is a very serious situation," explains Shahryar Shaghaghi, head of the technology practice at BDO Consulting. "We see evidence that breaches are occurring on a regular basis across every industry. Security is not a new topic, but today's open architectures and cloud-based environments have completely changed the picture."
A September 2015 study conducted by Neustar found that 50 percent of companies have suffered a distributed denial of service (DDoS) attack, and eight in 10 of the organizations attacked were targeted more than once. In addition, a recent Ponemon Institute report found that 35 percent of business and IT leaders acknowledged that their firm had already experienced a nation state attack.
"Adversaries are well-funded and extremely sophisticated," warns Irfan Saif, principal and U.S. Technology Sector leader at Deloitte. "So it's critical to view protection within a holistic framework."
The upshot? Business and IT executives cannot rely on the same tools, solutions and approaches that worked well even five years ago. "Security has to be built into IT from the design stage, and it must permeate the entire framework," BDO's Shaghaghi explains.
Among other things, this means adopting a risk-based framework, using a multilayer defense-in-depth approach, and building a governance framework that spans an enterprise—and even connects to outside partners and customers.
Dealing With a Complex IT Security Environment
The migration away from mainframes and centralized IT has created enormous benefits for organizations. However, at the same time, it has introduced an extremely complex IT security environment that spans enterprise systems, mobile devices, clouds and even the emerging Internet of things (IoT).
Today, "data resides in many shapes and forms," Shaghaghi says. "It exists in different formats, on different machines and devices. The boundaries have expanded, and the risks cannot be controlled only by internal processes and security tools. There's a growing need to manage relationships and take a comprehensive view."
That's a concept that Goodwill Industries of New York and Northern New Jersey understands well. The not-for-profit organization, which provides services and aid for the disabled, veterans and others, operates 43 retail stores across the region and serves about 95,000 people.
Not only does Goodwill manage central IT systems and computing technology in the stores, it also oversees data for contracted services, temporary staffing, Health Insurance Portability and Accountability Act (HIPAA) provisions and much more. "We deal with a lot of private and sensitive data that must be fully protected," says CIO Andre Bromes.
The organization has adopted an aggressive strategy on a limited budget and lean staffing. "We have 92 cents on the dollar going to supporting folks with disabilities, so we have to stay extremely focused on how to make sure we have adequate solutions in place, and that they can scale to the size and needs of the organization," Bromes explains.
Consequently, Goodwill relies on an integrated security platform, HawkEye G from Hexis Cyber-Solutions, to provide continuous monitoring of endpoints and the network, and to handle malware detection and other tasks. This supplements a firewall, gateway antivirus, an advanced persistent threat (APT) blocker and other basic protections. The organization also has robust security surrounding its bring-your-own-device (BYOD) initiative.
"One of the problems with conventional security techniques is that you can gain a false sense of security behind a firewall, using antivirus protection, and relying on other tools and solutions," Bromes points out. "It's important to have layers of security in place and recognize when network activity or system behavior indicates that a cyber-attack may be occurring."
Goodwill supplements its multilayered approach to cyber-security with ongoing training and education. "The biggest threat to any business exists between the keyboard and the chair," he says. "It's not to say that all folks are malicious—although some do have bad intentions—but social engineering techniques have become more sophisticated, and shadow IT is a persistent threat."
In the end, Bromes says that the organization has managed to keep its network and systems safe and clear of threats.